#!/bin/sh /etc/rc.common
# OpenWrt init script for ocserv (OpenConnect VPN server).
# Renders /etc/ocserv/ocserv.conf.template into /var/etc/ocserv.conf from the
# UCI "ocserv" config, builds /var/etc/ocpasswd from its "ocservusers"
# sections, and on first start generates a CA and server certificate with
# certtool when that tool is installed.
SERVICE_USE_PID=1   # rc.common service helpers track the daemon via its pid file
START=50            # boot-time start order
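#######################################
# Render /etc/ocserv/ocserv.conf.template into /var/etc/ocserv.conf using the
# values of one UCI section (start() passes "config").
# Arguments: $1 - UCI section name
# Outputs:   writes /var/etc/ocserv.conf (creating /var/etc when needed)
# Returns:   0 on success, 1 when the template is missing or cannot be rendered
# Note: values are spliced into sed replacement text unescaped, so a value
#       containing the delimiter ('/', or '#' for AUTH), '&' or '\' corrupts
#       the rendered file. The values come from the admin-owned UCI config,
#       not from VPN clients, so they are not treated as untrusted here.
#######################################
setup_config() {
	local section="$1"
	local template=/etc/ocserv/ocserv.conf.template
	local output=/var/etc/ocserv.conf
	local port max_clients max_same dpd predictable_ips udp auth cisco_compat
	local ipaddr netmask ip6addr ipv6_addr ipv6_prefix
	local authsuffix="" enable_ipv6=""

	config_get port "$section" port "4443"
	config_get max_clients "$section" max_clients "8"
	config_get max_same "$section" max_same "2"
	config_get dpd "$section" dpd "120"
	config_get predictable_ips "$section" predictable_ips "1"
	config_get udp "$section" udp "1"
	config_get auth "$section" auth "plain"
	config_get cisco_compat "$section" cisco_compat "1"
	config_get ipaddr "$section" ipaddr "192.168.100.0"
	config_get netmask "$section" netmask "255.255.255.0"
	config_get ip6addr "$section" ip6addr ""

	# UCI booleans (0/1) become the true/false words ocserv.conf expects;
	# any other value is passed through unchanged, as before.
	case "$predictable_ips" in
		0) predictable_ips="false" ;;
		1) predictable_ips="true" ;;
	esac
	case "$cisco_compat" in
		0) cisco_compat="false" ;;
		1) cisco_compat="true" ;;
	esac
	# |UDP| is a line prefix in the template: '#' comments the UDP line out.
	case "$udp" in
		0) udp="#" ;;
		1) udp="" ;;
	esac

	# Likewise |ENABLE_IPV6| comments out the IPv6 lines when no prefix is set.
	[ -z "$ip6addr" ] && enable_ipv6="#"
	# Split "addr/prefixlen" with parameter expansion instead of echo|cut.
	# A value without '/' yields the whole string for both parts, as cut did.
	ipv6_addr="${ip6addr%%/*}"
	ipv6_prefix="${ip6addr#*/}"
	ipv6_prefix="${ipv6_prefix%%/*}"

	# For "plain" auth point ocserv at the generated ocpasswd file; the
	# backslashes are consumed by sed, so the config ends up as plain[...].
	[ "$auth" = "plain" ] && authsuffix="\[/var/etc/ocpasswd\]"

	if [ ! -r "$template" ]; then
		logger -t ocserv "missing config template $template"
		return 1
	fi
	mkdir -p /var/etc || return 1
	sed -e "s/|PORT|/$port/g" \
		-e "s/|MAX_CLIENTS|/$max_clients/g" \
		-e "s/|MAX_SAME|/$max_same/g" \
		-e "s/|DPD|/$dpd/g" \
		-e "s#|AUTH|#$auth$authsuffix#g" \
		-e "s/|PREDICTABLE_IPS|/$predictable_ips/g" \
		-e "s/|CISCO_COMPAT|/$cisco_compat/g" \
		-e "s/|UDP|/$udp/g" \
		-e "s/|IPV4ADDR|/$ipaddr/g" \
		-e "s/|NETMASK|/$netmask/g" \
		-e "s/|IPV6ADDR|/$ipv6_addr/g" \
		-e "s/|IPV6PREFIX|/$ipv6_prefix/g" \
		-e "s/|ENABLE_IPV6|/$enable_ipv6/g" \
		"$template" > "$output"
}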
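#######################################
# Append one "ocservusers" section to /var/etc/ocpasswd as name:group:password.
# Arguments: $1 - UCI section name (called through config_foreach)
# Outputs:   appends one line to /var/etc/ocpasswd; a section without a name
#            or password is skipped silently, a missing group becomes '*'
# Note: the password value is written verbatim, so it has to be in whatever
#       form ocserv's ocpasswd file expects (a hashed entry) — confirm
#       against the ocserv version in use.
#######################################
setup_users() {
	local section="$1"
	local name group password

	config_get name "$section" name
	config_get group "$section" group
	config_get password "$section" password
	[ -z "$group" ] && group='*'
	# Either field missing makes the entry useless; skip it.
	if [ -z "$name" ] || [ -z "$password" ]; then
		return 0
	fi
	# printf rather than echo: values starting with '-' or containing
	# backslashes are written exactly as configured.
	printf '%s:%s:%s\n' "$name" "$group" "$password" >> /var/etc/ocpasswd
}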
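#######################################
# Append one "routes" section as a "route = ip/netmask" line to
# /var/etc/ocserv.conf. Must run after setup_config has rendered the base file
# (start() orders it that way).
# Arguments: $1 - UCI section name (called through config_foreach)
# Outputs:   appends to /var/etc/ocserv.conf; skips sections missing ip or netmask
#######################################
setup_routes() {
	local section="$1"
	local ip netmask

	config_get ip "$section" ip
	config_get netmask "$section" netmask
	if [ -z "$ip" ] || [ -z "$netmask" ]; then
		return 0
	fi
	printf 'route = %s/%s\n' "$ip" "$netmask" >> /var/etc/ocserv.conf
}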
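#######################################
# Append one "dns" section as a "dns = ip" line to /var/etc/ocserv.conf.
# Must run after setup_config has rendered the base file.
# Arguments: $1 - UCI section name (called through config_foreach)
# Outputs:   appends to /var/etc/ocserv.conf; skips sections without an ip
#######################################
setup_dns() {
	local section="$1"
	local ip

	config_get ip "$section" ip
	[ -z "$ip" ] && return 0
	printf 'dns = %s\n' "$ip" >> /var/etc/ocserv.conf
}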
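#######################################
# Generate the self-signed CA (key + certificate) under /etc/ocserv if no CA
# key exists yet and certtool is installed.
# Arguments: $1 - hostname used for the CA common name
# Returns:   0 when the CA exists or was created (or certtool is absent, in
#            which case the files must be provisioned by hand), 1 on failure
#######################################
ocserv_gen_ca() {
	local cn="$1"
	local key=/etc/ocserv/ca-key.pem
	local cert=/etc/ocserv/ca.pem
	local tmpl=/etc/ocserv/pki/ca.tmpl

	[ -f "$key" ] && return 0
	[ -x /usr/bin/certtool ] || return 0
	logger -t ocserv "Generating CA certificate..."
	mkdir -p /etc/ocserv/pki/
	# Create the key under a private umask: a CA key must never be readable
	# by other local users, whatever certtool's own default mode is.
	if ! ( umask 077; certtool --bits 2048 --generate-privkey --outfile "$key" ) >/dev/null 2>&1; then
		logger -t ocserv "CA key generation failed"
		rm -f "$key"   # a partial file would suppress the retry on next start
		return 1
	fi
	# expiration_days=-1 is certtool's "never expires"; rotate by deleting
	# the key files if local policy requires a bounded lifetime.
	{
		printf 'cn=%s CA\n' "$cn"
		printf 'expiration_days=-1\n'
		printf 'serial=1\n'
		printf 'ca\n'
		printf 'cert_signing_key\n'
	} > "$tmpl"
	if ! certtool --template "$tmpl" --generate-self-signed \
			--load-privkey "$key" --outfile "$cert" >/dev/null 2>&1; then
		logger -t ocserv "CA certificate generation failed"
		rm -f "$key" "$cert"
		return 1
	fi
	return 0
}

#######################################
# Generate the server key and a certificate signed by the local CA if no
# server key exists yet and certtool is installed.
# Arguments: $1 - hostname used for the certificate common name
# Returns:   0 when the files exist or were created (or certtool is absent),
#            1 on failure
#######################################
ocserv_gen_server_cert() {
	local cn="$1"
	local key=/etc/ocserv/server-key.pem
	local cert=/etc/ocserv/server-cert.pem
	local tmpl=/etc/ocserv/pki/server.tmpl

	[ -f "$key" ] && return 0
	[ -x /usr/bin/certtool ] || return 0
	logger -t ocserv "Generating server certificate..."
	mkdir -p /etc/ocserv/pki/
	if ! ( umask 077; certtool --bits 2048 --generate-privkey --outfile "$key" ) >/dev/null 2>&1; then
		logger -t ocserv "server key generation failed"
		rm -f "$key"
		return 1
	fi
	# NOTE(review): only a CN is set; clients that require the hostname in a
	# subjectAltName (dns_name in certtool templates) may reject this
	# certificate — confirm with the clients in use.
	{
		printf 'cn=%s\n' "$cn"
		printf 'serial=2\n'
		printf 'expiration_days=-1\n'
		printf 'signing_key\n'
		printf 'encryption_key\n'
	} > "$tmpl"
	if ! certtool --template "$tmpl" --generate-certificate \
			--load-privkey "$key" \
			--load-ca-certificate /etc/ocserv/ca.pem \
			--load-ca-privkey /etc/ocserv/ca-key.pem \
			--outfile "$cert" >/dev/null 2>&1; then
		logger -t ocserv "server certificate generation failed"
		rm -f "$key" "$cert"   # leave a clean state so the next start retries
		return 1
	fi
	return 0
}

#######################################
# rc.common start action: create the service user, generate certificates on
# first run, render the config and credential files, and start the daemon.
# Globals:   none read; writes /var/etc/ocserv.conf, /var/etc/ocpasswd,
#            /var/run/ocserv.pid, /var/lib/ocserv and /etc/ocserv/* files
# Returns:   non-zero if the config could not be rendered or the daemon
#            failed to start
#######################################
start() {
	local hostname

	user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv
	group_exists ocserv 72 || group_add ocserv 72

	# Prefer the DDNS domain as certificate name, else the system hostname.
	# The uci key is quoted because "[0]" is otherwise a glob pattern.
	hostname=$(uci -q get ddns.myddns.domain)
	[ -z "$hostname" ] && hostname=$(uci -q get 'system.@system[0].hostname')

	# Both helpers are no-ops when the key already exists or certtool is
	# missing; a failure is logged and the daemon start is still attempted,
	# as the config may point at externally provisioned certificates.
	ocserv_gen_ca "$hostname"
	ocserv_gen_server_cert "$hostname"

	if [ ! -f /var/run/ocserv.pid ]; then
		touch /var/run/ocserv.pid
		chown ocserv:ocserv /var/run/ocserv.pid
	fi
	if [ ! -d /var/lib/ocserv ]; then
		mkdir -p /var/lib/ocserv
		chmod 0700 /var/lib/ocserv
		chown ocserv:ocserv /var/lib/ocserv
	fi

	config_load "ocserv"
	mkdir -p /var/etc
	rm -f /var/etc/ocserv.conf
	: > /var/etc/ocserv.conf
	setup_config config || return 1
	# Route and DNS sections append to the file rendered by setup_config.
	config_foreach setup_routes routes
	config_foreach setup_dns dns

	# Rebuild the credential file under a private umask so it is never
	# world-readable, not even between creation and the chmod below.
	rm -f /var/etc/ocpasswd
	( umask 077; : > /var/etc/ocpasswd )
	chmod 600 /var/etc/ocpasswd
	config_foreach setup_users ocservusers

	service_start /usr/sbin/ocserv -c /var/etc/ocserv.conf
}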
#######################################
# rc.common stop action: stop the running daemon via the service helper.
#######################################
stop() {
	local daemon=/usr/sbin/ocserv
	service_stop "$daemon"
}
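#######################################
# rc.common reload action: regenerate /var/etc/ocpasswd from UCI and ask the
# running daemon to reload; if the daemon is not up, do a full start.
# Note: only the credential file is regenerated here, ocserv.conf is not
#       re-rendered — config changes other than users need a restart.
# Returns:   status of occtl reload, or of start()
#######################################
reload() {
	# The user sections are read from UCI, so the config must be loaded here
	# too; start() calls config_load itself, but reload runs on its own.
	config_load "ocserv"

	# Create the credential file under a private umask so it is never
	# world-readable, not even between creation and the chmod below.
	rm -f /var/etc/ocpasswd
	( umask 077; : > /var/etc/ocpasswd )
	chmod 600 /var/etc/ocpasswd
	config_foreach setup_users ocservusers

	# occtl only answers when the daemon is running; otherwise start it.
	if /usr/bin/occtl show status >/dev/null 2>&1; then
		/usr/bin/occtl reload
	else
		start
	fi
}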